On Sat, Nov 1, 2014 at 10:25 AM, Kaspar Brand <httpd-dev.2...@velox.ch> wrote: > On 29.10.2014 11:41, Yann Ylavic wrote: >> I chose to use (MD5 digest) all the IP:port from the s->addrs list >> (ie. <VitualHost IP|*|_default_:port ...>), plus s->server_hostname >> and s->port (ie. ServerName, be it configured or not, knowing that in >> the latter case, apr_gethostname() is used fot the main server, and >> the main server's one is used for the vhosts). > > Just an observation on the digest you're proposing: while it doesn't > seem necessary to proactively kill MD5 in httpd when it is used for > non-crypto purposes (see also RFC 6151), I would prefer another digest > algorithm being picked for new things (apr_sha1_* perhaps, considering > that APR doesn't currently have SHA-2 support?).
I tend to agree, although SHA-1 is not much better wrt to security, and SHA-2 is not available in the minimal APR version(s) supported by httpd(s). In this case (non-crypto purpose, avoid non-malicious collisions), SHA-1's digest has 4 more bytes (per scoreboard entry here), is probably slower than MD5 (not in a fast path though), and this concerns 2.2.x only. Not sure it is worth the effort...